If you work in the energy industry and have anything to do with technology, you can’t escape the reality of cyberattacks on energy infrastructure.
The warning bell has been ringing for years, and in more than a few cases, attacks have been successfully carried out. These successful attacks are what keep that bell ringing, calling on industry professionals to do more to secure the world’s energy infrastructure from cyberattacks.
There are two trends for us to watch out for in the energy industry now: threat fatigue and shiny object syndrome.
If the warning bell rings long enough, we simply learn to ignore it. The reality is that human beings can only remain on high alert for so long before that becomes the new normal and we simply settle into it. We’re fast approaching this state with the threat of cyberattack on energy infrastructure. It’s fair to say that Stuxnet was the beginning of general awareness for cyberattacks in the energy industry. You’re probably already rolling your eyes now that I brought up Stuxnet.
And you won’t be at all surprised when I draw the line from Stuxnet to the more recent Ukraine attacks. Whether you’re deeply involved in information security or you’re new to the energy industry, you’ve heard these references before. With these types of stories being told repeatedly, the most common reaction to them is fatigue. We’ve been worrying about this threat for nearly a decade. It’s no surprise that a little numbness might set in.
Shiny Object Syndrome
At the other end of the spectrum lies the inescapable pursuit of the next shiny object. In this case, shiny objects are new tools and technologies for addressing the threat. Shiny object syndrome is driven by the relentless examination of how new and sophisticated the threats are.
New, better-funded malware is targeting SCADA systems and other energy infrastructure. Just last year, researchers uncovered “SFG,” a strain of malware targeting a European energy company. Aside from targeting energy companies, some of this malware is designed specifically to run in control systems and SCADA environments. The malware is sophisticated and avoids detection by standard anti-virus software. It’s no surprise that, after reading article after article about how each newly discovered malware looks even scarier than the one before, we tend to flock to new tools that specifically address this new threat.
The reality is that neither of these responses is effective at actually addressing the real threats to energy infrastructure from cyberattacks. While we may be tired of hearing it, the threats are real and growing. As we connect more infrastructure to networks and the internet, the critical components used to deliver energy to consumers both inherit new risks and expose the risks that were already present, if dormant. While networking is hardly new to energy infrastructure, systems that have long been deployed on isolated networks don’t expose their vulnerabilities to the world because of that isolation. Those same vulnerabilities present an entirely different risk profile when systems are connected to external networks and the internet. At the same time, the differences in specific threats don’t actually change the fundamental nature of the attack in most cases.
Malicious software, or malware, provides an ideal example because it’s both pervasive and continually changing. The reality is that while a specific type of malware may exhibit unique capabilities, all malware requires some mechanism for getting on the target systems, whether they are control systems, HMIs, or the fairly standard servers and workstations that manage them.
The mechanisms for installing malware haven’t changed all that much. They include things like phishing, exploiting vulnerabilities and leveraging misconfigurations in systems. The most effective defenses against these attack vectors are the most foundational security controls. Whether you choose to implement a framework like NIST’s Cybersecurity Framework, or implement best practice controls like those from the Center for Internet Security, the basic groundwork of defending a network doesn’t change. Organizations need to assess risk and deploy resources appropriately. Organizations need to ensure that the systems they’re deploying are configured securely and stay that way. Organizations need to find and remediate vulnerabilities. Organizations need to protect their email from malicious attachments.
These requirements translate to foundational controls like establishing a security policy, implementing vulnerability management, implementing secure configuration management, and putting in place email protections. These foundational controls serve to effectively reduce the attack surface so that attackers simply don’t have as many ways to break in. In fact, this foundation is part of what the Critical Infrastructure Protection standards from NERC aim to establish. The scope of NERC CIP is fairly narrow, however. The energy industry is broader than electric utilities, and all organizations have a myriad of critical devices outside of the electronic security perimeter.
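The “configured securely and stay that way” part of secure configuration management is the piece most often left to good intentions. The following script is an added example, not code from the article or from Tripwire: it takes a golden baseline of configuration files captured at deployment, fingerprints the files observed on a later audit, reports drift (files added, removed or modified), and checks a small policy of required directives. All file contents and the rule set are constructed for the example; the paths and settings are illustrative, not a published benchmark.

```python
import hashlib
import json

# Constructed sample: the "golden" baseline of configuration files for an
# operator workstation, captured when the system was deployed. A real tool
# would read these from disk; here they are embedded strings.
BASELINE_FILES = {
    "/etc/ssh/sshd_config": "PermitRootLogin no\nPasswordAuthentication no\nProtocol 2\n",
    "/etc/hosts.allow": "sshd: 10.10.1.0/24\n",
}

# Constructed sample: the same files as observed on a later audit. Root SSH
# login has been re-enabled and a telnet service entry has appeared.
CURRENT_FILES = {
    "/etc/ssh/sshd_config": "PermitRootLogin yes\nPasswordAuthentication no\nProtocol 2\n",
    "/etc/hosts.allow": "sshd: 10.10.1.0/24\n",
    "/etc/inetd.conf": "telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd\n",
}

# Hypothetical policy written for this example: each path lists directives
# and the value they must carry.
REQUIRED_SETTINGS = {
    "/etc/ssh/sshd_config": {"PermitRootLogin": "no", "PasswordAuthentication": "no"},
}


def fingerprint(files):
    """Return {path: sha256 hex digest} for a mapping of path -> content."""
    return {p: hashlib.sha256(c.encode()).hexdigest() for p, c in files.items()}


def detect_drift(baseline, current):
    """Compare two file sets; returns lists of added, removed and modified paths."""
    base_fp, cur_fp = fingerprint(baseline), fingerprint(current)
    return {
        "added": sorted(set(cur_fp) - set(base_fp)),
        "removed": sorted(set(base_fp) - set(cur_fp)),
        "modified": sorted(p for p in base_fp if p in cur_fp and base_fp[p] != cur_fp[p]),
    }


def parse_directives(content):
    """Parse 'Key value' lines (sshd_config style), ignoring blanks and comments."""
    directives = {}
    for line in content.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            directives[parts[0]] = parts[1]
    return directives


def check_policy(files, policy):
    """Return (path, directive, expected, actual) tuples for settings that violate policy.

    A directive that is missing altogether is reported with actual=None, so a
    file that has been emptied or deleted still shows up as a violation.
    """
    violations = []
    for path, rules in policy.items():
        actual = parse_directives(files.get(path, ""))
        for key, expected in rules.items():
            got = actual.get(key)
            if got != expected:
                violations.append((path, key, expected, got))
    return violations


def audit(baseline, current, policy):
    """Run both checks and return a report suitable for logging or alerting."""
    return {"drift": detect_drift(baseline, current), "violations": check_policy(current, policy)}


if __name__ == "__main__":
    print(json.dumps(audit(BASELINE_FILES, CURRENT_FILES, REQUIRED_SETTINGS), indent=2))
```

Drift detection and policy checking answer different questions: drift tells you that something changed and deserves a look (the new inetd.conf entry is caught only because it differs from the baseline), while the policy check tells you that a specific required setting is wrong regardless of how it got that way. Running both on a schedule, and treating the output as an alert rather than a report nobody reads, is what turns a one-time hardening exercise into a control that holds.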
Knowing what the essential priorities are and implementing them well are two different things, however. As an industry we remain at more risk than is necessary because foundational controls aren’t implemented consistently. There are some cases where a foundational control is hard to implement because the systems or environment are distinct, but in most of those cases a strategy of segregation can be applied instead. The need for those foundational controls doesn’t change in those environments, though the risk mitigation choices might.
When faced with the very real risk of cyberattacks, we can make a choice in how we respond. We can let the fatigue of constant threat wear us down, but inaction doesn’t help to reduce risk.
We can look for the next shiny object to address the latest risk, but while you might cover that latest threat with a new tool, you’ll leave the door open to the vast majority of attacks that leverage obvious weaknesses. Or we can systematically evaluate the risk from these threats and apply the right foundational controls to address them. There’s no silver bullet in information security, regardless of industry, but implementing basic foundational controls is a strategy that’s proven to effectively reduce risk.
About the author: Tim Erlin is vice president, product management strategy, for Tripwire. He previously managed Tripwire’s Vulnerability Management product line, including IP360 and PureCloud.